OpsMgr : Certificate for this system is not valid when installing Linux agent

December 4, 2009 at 3:15 pm in Uncategorized by alkin

Today I ran into some Linux agent deployment issues. I needed to monitor about 20 Redhat Machines . In such an environment environment, Kerberos authentication is not possible. Therefore, certificates are used between the management server and the UNIX-based or Linux-based computers.

windows-to-linux

First if you have some Cross-platform agent deployment issues please have a look at the following blog posts:

 

Ok, let’s start!

So after making sure I had all the pre-requisites needed to deploy an Linux agent I launched the discovery wizard

image

But my agent installation failed because the certificate could not be signed.

image

The certificate signing process does the following:

Operations Manager retrieves the certificate from the agent, signs the certificate, deploys the certificate back to the agent, and then restarts the agent.

image

For an unknow reason my certifcate was not signed and trusted.

 I also got the following error in my event log:

Unexpected ScxCertLibException: Unable to open root store
; input data is: —–BEGIN CERTIFICATE—–
MIIDHjCCAgYCAQEwDQYJKoZIhvcNAQEFBQAwZjEYMBYGA1UEAxMPU0NYLUNlcnRp
ZmljYXRlMTAwLgYDVQQMEydTQ1g2MzMzNzZEMi1FM0UyLTRmMzEtODQ2MS1EMDky

image

 

To solve this problem you need to sign the certificate on your OpsMgr server following this procedure:

 Download and install Winscp on your OpsMgr server.

 Start Winscp and connect to your Linux machine

image

Click yes

image

Browse to /etc/opt/microsoft/scx/ssl

image

Copy the key scx-host-<hostname>.pem  to your opsmgr server.

image

Open the command prompt on your OpsMgr server and change directories to the location where you copied the certificate. Type the command

“scxcertconfig -sign scx-host-<hostname>.pem scx_new.pem”

and then press ENTER. This command will self-sign your certificate (scx-host-<hostname>.pem) and then save the new certificate.

image

Rename your scx_new.pem file with scx-host-<hostname>.ad.pem and replace the original file on your linux server with this file.

image

Connect to your Linux server with putty

image

and type scxadmin –restart

image

This step is very important! If you don’t restart the scxadmin the discovery wizard will still complain about the certificate not being signed!!

 

Now close your discovery wizard and re launch it.

image

The Discovery Wizard discovers the computer and tests to see that the certificate is valid. If the Discovery Wizard verifies that the computer can be discovered and that the certificate is valid, the Discovery Wizard adds the newly discovered computer to the Operations Manager database.Almost immediately you will get a message saying the agent is successfully signed and installed:

image

 

Hope this helps,

Alexandre Verkinderen